Texas city warns thousands of utility payment site breach

At least 12,000 people had sensitive financial information stolen by hackers who secretly implanted malicious code into the utility payment website of the city of Lubbock, Texas.

The city began sending breach notification letters to victims across the country this week, explaining that the people impacted include anyone who made a utility payment between December 18, 2024, and January 6, 2025. That includes those who paid utilities bills for water, wastewater, storm water and solid waste.

The hackers stole names, billing addresses, payment card numbers, CVVs and expiration dates.

According to the letters, the payment website is hosted by a third-party vendor and city officials discovered on January 6 that a malicious actor “created a fake pop-up window on the [City of Lubbock Utilities] payment website, which requested credit card payment information from users.”

“Customers attempting to make payments on the legitimate COLU payment website were being directed to the fake pop-up window between December 18, 2024, and January 6, 2025,” officials said.  

“Although the City has accounted for all payments made during this period and no payments were delayed, this incident may have allowed the malicious actor to collect payment card information from individuals who entered their details in the fake pop-up window during this timeframe.”

The city did not respond to a request for comment. 

Texas’ state data breach portal said 12,503 people in Texas were affected but notices were filed in several other states including Vermont. Lubbock has a total population of about 270,000 people. 

The letters do not say which third-party vendor was behind the breach but they note that the hackers did not breach the city’s internal network. 

In the past, hackers used skimmers which were physical devices installed on payment terminals, however, since the start of the COVID-19 pandemic and the increased popularity of e-commerce, hackers have adapted and are now using e-skimmers, which is a malicious code inserted into an e-commerce website used to steal data inputted into the payment field — most recently impacting the website of the Green Bay Packers.

Cybersecurity experts at Recorded Future track the exposure of payment cards stolen by hackers and sold on the dark web each month. The Record is an editorially independent unit of Recorded Future.

For March, threat actors posted 16 million card records for sale on the dark web sources, representing an increase compared to February.

“We also observed five million freely posted full card records on Telegram” the payment fraud intelligence team said. “Additionally, we observed over 150,000 stolen US checks being posted on Telegram, 19% of which were new and unique”.

Another large Texas organization, the State Bar of Texas, announced a data breach this week impacting at least 2,700 people in the state. Sensitive data like Social Security numbers, passports, credit card numbers and more were stolen in the attack, which was claimed by the Inc ransomware gang one month ago.